Simple, right? Wrong, especially given how many blogs attempt to address RDS certificate issues. This one post gets you 90% of the way there but is not complete. Specifically, see the last step below.
Steps:

Get a certificate (in my case, a GoDaddy wildcard cert)

Assign the certificate to the RDS roles. Refer to this great post with screen shots.

Extract the certificate thumbprint: run the “Get-Childitem Cert:\LocalMachine\My” PowerShell command on your RDS server, or follow the steps outlined on Morgan Simonsen’s blog. Make sure you properly format the thumbprint: no spaces, all caps.

Yet after repeated gpupdate /force and a full reset of IE settings, the warning dialog persisted. Then I stumbled across these two nuggets: here, combined with the second post down here. The “Specify SHA1…” GPO was not adding the proper “PublisherBypassList” keys. The solution? Manually adding “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\PublisherBypassList” as a User Configuration GPO registry update. Notice the value name is the thumbprint above with an additional “00” placed at the end. The easiest way to verify the key is to check “Do not remind me…” on the RDS prompt; it will save the thumbprint for you in the proper format, and you can copy it from there.

My Linksys E3000 dual-radio wireless router was finally retired last week for a Netgear Nighthawk R7000. In the early days I ran DD-WRT exclusively, but in the last two years I have split between Tomato (Shibby) and DD-WRT depending on the application (i.e. Tomato as a router, DD-WRT for wireless bridges and repeaters).

(Table courtesy of Wiki Devi).
For a router released in early 2010 (over 5 years old), the E3000 still holds its own. You can overclock it to 532MHz, it has simultaneous 2.4GHz and 5.8GHz radios, it supports both DD-WRT and Tomato, and the throughput is still impressive: ~130Mbps routed on Shibby v130.

As part of designing a campus wireless solution, we searched and searched for a cost-effective way to create per-room/apartment VLANs; e.g. residents and students have a wireless printer, a Roku, an Apple TV, and mobile devices that all need to talk mDNS and UPnP on a “local” network. The typical client-to-client isolation on campus wireless APs makes this difficult. Currently we have older integrated DOCSIS cable modems with wireless routers providing this “local” network (e.g. Motorola SBG901).

So, after many hours with vendors and internal discussions, we made a decision: the best, simplest, easiest option is to create wireless routed bridges. Refer to this DD-WRT wiki page on “Linking Routers”, specifically “Client Bridged”. Not all residents will need this solution; only those with wired desktop(s) and those needing a “local” network for devices.

That solution leads us back to the Linksys E3000. For ~$35 on eBay, with its open-source firmware support and two radios, it is an ideal candidate for cost-effective, high-performing wireless routed client bridges. The 5GHz radio in client mode serves as the WAN connection, connected to our campus dual-band APs. The 2.4GHz radio and the LAN switch ports provide a local, routed private network for resident devices (e.g. 192.168.1.X).

Turning back the clock: Convert a WRT610N v2 to E3000

It just so happens that Linksys also made the WRT610N v2 with hardware identical to the E3000. Here are the steps (loosely based on this post):

Search for “1E00” and hit “OK”. This will show you the MAC address location. Flip over your WRT610N v2, find the MAC address on the back, and type it in delimited by colons (:), e.g. 00:00:00:00:00:00. HxD will prompt you if you make a mistake (e.g. “this operation changes the file-size”); DO NOT hit OK. You do not want to change the file size. Hit “Cancel”.

Do the same for the serial number. Search for “3FE30” and fill in the serial number.

And the same for the PIN; search for “3FCDC” and enter the PIN from the back without the dash (-).

Save your newly customized CFE .bin.
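Added example, not from the original post: a small POSIX shell helper that does the same fixed-width overwrite from the command line, with the size check that HxD only warns about. It assumes you have already located the field's byte offset in the hex editor (the 0x1e00 on the usage line is a placeholder, not a verified offset) and that the field is plain ASCII text, as the MAC, serial and PIN strings are. Work on a copy of the CFE.

```shell
#!/bin/sh
# Added example (not from the original post): overwrite a fixed-width text field (MAC,
# serial, PIN) inside a copy of the CFE image without changing the file size, which is
# exactly the mistake HxD warns about. Assumption: you already know the byte offset of
# the field from the hex editor; the offset on the usage line is only a placeholder.

# read_field FILE OFFSET LENGTH: print LENGTH bytes starting at OFFSET (decimal or 0x-hex)
read_field() {
  dd if="$1" bs=1 skip=$(( $2 )) count="$3" 2>/dev/null
}

# patch_field FILE OFFSET VALUE: replace the bytes at OFFSET with VALUE, in place.
# Refuses if the existing text there is not the same length as VALUE, and verifies the
# file size afterwards, so the image can neither grow nor shrink.
patch_field() {
  file=$1; offset=$2; value=$3
  before=$(( $(wc -c < "$file") ))
  old=$(read_field "$file" "$offset" "${#value}")
  if [ "${#old}" -ne "${#value}" ]; then
    echo "refusing: field at $offset holds ${#old} text bytes, new value is ${#value}" >&2
    return 1
  fi
  printf '%s' "$value" | dd of="$file" bs=1 seek=$(( $offset )) conv=notrunc 2>/dev/null
  after=$(( $(wc -c < "$file") ))
  if [ "$before" -ne "$after" ]; then
    echo "file size changed from $before to $after bytes; discard this copy" >&2
    return 1
  fi
  echo "wrote ${#value} bytes at $offset, size still $after bytes"
}

# Usage (placeholder offset): sh patch_cfe.sh cfe_copy.bin 0x1e00 00:11:22:33:44:55
if [ $# -eq 3 ]; then
  patch_field "$1" "$2" "$3"
fi
```

Run it once per field (MAC, then serial, then PIN) against a copy of the CFE, and compare the copy's size with the original before flashing; the helper refuses a value that is longer or shorter than the text already there, which is the only way the file size could change.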

Login to DD-WRT, go to the Services tab, and “Enable” the SSHd. Hit “Apply”.

Wait. A long time. The router will reboot a couple of times. Then try to log in to the web interface. You will not be able to log in (NVRAM still contains the encoded DD-WRT password). Get a pen or paperclip and push and hold the reset button for 30 seconds; while still holding the reset button, pull the power, count to 5, and plug it back in. Keep holding the reset button for another 30 seconds and finally release. The router will reboot one final time.

You should now be able to log in to the OEM firmware with “admin” as the username and “admin” as the password.

Flashing DD-WRT or Tomato Firmware (non-OEM)

Get on OEM factory firmware. Follow the three steps above to get back to the factory E3000 firmware from Linksys. Make sure you also clear the NVRAM and be patient while it resets.

After flashing either Tomato or DD-WRT, login to the web interface and clear the NVRAM (again). In Tomato, go to “Administration” then “Configuration”, and do a “Thorough” NVRAM erase. In DD-WRT, go to “Administration” then under “Factory Default”, select “Yes” and hit “Apply”.

Wireless Client Bridged: DD-WRT

On the “Setup” tab, set the time zone and NTP server:
Time Zone: US/Eastern
Server: 0.north-america.pool.ntp.org
Hit “Save”.

Go to the “Wireless” tab.
Set the bottom wireless adapter (5GHz) mode to “Client”. Set Network Name to the wireless network/SSID you want the bridge to connect to, for example “BV”. In a wireless client bridge, think of this as the WAN connection replacing the hard-wired physical WAN port. Set the top wireless adapter (2.4GHz) to the local network/SSID, for example “Resident Network”. Choose 20MHz and pick a fixed channel (do not leave it on auto).

Go to the “Wireless Security” sub-tab (in the “Wireless” tab). Set both to WPA2-Personal with AES (do not use TKIP+AES).
Wireless Security for 2.4GHz radio; whatever password you want for the local network.
Wireless Security for 5GHz radio; password for the network you are connecting to as your WAN.
Hit “Save”.

Reboot router for changes to apply (or click “Apply”; full reboot preferred).
After the reboot, log in to DD-WRT (192.168.1.1) again and look at the upper right; it should show a WAN IP in the range of the wireless network you are bridging to.

Wireless Client Bridged: Tomato

This section assumes Tomato. DD-WRT can be a client AND a repeater (meaning it can be a 5GHz client and an AP for 5GHz clients at the same time), but in the interest of keeping this simple, the 5GHz radio will be the client and the 2.4GHz radio the AP for “local” clients. I also had issues getting “Repeater” or “Repeater Bridge” mode working on DD-WRT (newer builds have issues).

Log into the web interface and go to the “Basic” then “Network”. Refer to the screenshot below.

Type: DHCP assuming the AP you are connecting to assigns IPs

Under “Wireless (2.4 GHz / eth1)” this is the setup of the “local” wireless connection in a private subnet to be routed out of the 5GHz WAN/internet connection.

Under “Wireless (5 GHz / eth2)” set to “Wireless Client”. Enter the exact SSID and password/key used to connect to the existing 5GHz network. Be careful: everything is case sensitive.

In conclusion…

For $20-$35 you have a very fast (upwards of ~130Mbps) routed 2.4GHz wireless repeater with a 5GHz uplink (client) for the WAN/internet. The irony is that it costs less than a similarly performing USB dual-band wireless adapter and is much more versatile. Enjoy.

Part 1 is a “technology parenting” overview. Part 2 is the technical “horsepower” and resource for securing your home internet connection. Securing your router is a foundation of Part 1 and, in my professional opinion, a best practice for anyone using the internet.

I am passionate about my faith, my family, and Technology. This post combines all three. Even if you do not believe in Jesus as Christ, hopefully the concepts and technical information apply to all parents.

Backstory

Over the past five years, I consulted for and built a close relationship with a high-profile local bank executive. He shared with me the struggle of raising two teenagers and the challenge technology has been, specifically for his son: porn, inappropriate apps, excessive video games, etc. We reviewed options, put a technical and practical plan in place, and I got to see secondhand how knowledgeable today’s teens are with technology. His son promptly attempted, unsuccessfully, an iPhone restore and a hard reset of his Xbox 360. You get the idea.

After having individually consulted over 100 families, it is clear: parents are completely over-matched by today’s technology and their kids. Parents with good intentions need better tools and a boost in knowledge. To test my message, I presented this material and conducted a follow-up technical workshop at our church, Calvary Church, with the counseling pastor. It confirmed the need: over 80 parents attended and 40 routers were issued to protect families. Here is the material.

Overview PowerPoint

First and foremost, as a parent, the focus must be on their hearts, minds, and your relationship with them. The technical aspects are to provide “guardrails” and support parenting. Please browse the PowerPoint (or via pdf).

Parent Technology Matrix

A visual aid to effective “technology parenting” is a matrix that guides parents, at each age, on how their kids should interact with technology. As mentioned, this is based on Christian values, but I believe it applies to all families looking to be proactive and deliberate about implementing technology in the home. Again, this matrix is a guide. Here is the source Word .docx (or via pdf).

Feedback

I got a wealth of feedback, mostly positive. Some parents shared that this matrix is not realistic; their second grader was using required iPads at school, etc. The irony is that the Children’s Online Privacy Protection Act is meant to protect kids under 13, yet kids under 13 are the primary offenders. Parents also shared that having multiple kids, especially when their ages are spread out, creates technical challenges for implementing content filtering. See Part 2.

Next Steps

The technical router workshop is the next step and post. It goes into extensive detail on how to secure and insulate your home/business network from porn and malware. Open to your feedback; comment below.

This is Part 2. Part 1 is a “technology parenting” overview. Part 2 is the technical “horsepower” and resource for securing your home internet connection. Securing your router is a foundation of Part 1 and, in my professional opinion, a best practice for anyone using the internet.

Overview

By the end of this post, you will have a very cheap and powerful DD-WRT router with two SSIDs (wireless network names). One for you and your older kids with a less-restricted or no content filtering. Another wireless network for your kids that is secured with OpenDNS’ family content filter.

A quick technical commentary: the simple approach is to create a “kids” VLAN. The major drawback, which is unacceptable for most homes, is that in a home/SMB network you want everything on the SAME VLAN. Separate VLANs break every “newer” convenience such as AirPrint, DLNA, Rokus, screen mirroring, wireless printers, etc.; basically anything that relies on SSDP and mDNS. Said another way, with separate VLANs, kids on their content-filtered “kids” network could not print to your wireless printer on the “parents” VLAN, and vice versa. The solution I propose eliminates this issue by putting everyone on one VLAN, using ebtables to “mark” packets from the “kids” SSID, and then forcing those “marked” packets to use a parallel instance of dnsmasq for DNS, which relays to the OpenDNS family filter (or whatever DNS servers you choose).

On a semi-related topic, you could add a third SSID to create a guest VLAN: here is a DD-WRT guide for builds >23020 for simple creation of a guest VLAN.

Notes, Assumptions, & Prerequisites:

Refer to the next section for a supported router.

You have broadband internet.

You want to protect your home. You recognize that the steps below will not protect you or your family against cellular data on phones and tablets, which bypasses your router entirely. Refer to the handout in Part 1. The steps below, along with your new router, protect your local wireless network only.

Connect the blue (WAN) port on the router to the Ethernet port (#1) on your modem.

As you go through the following steps, please fill out the “Checklist and Documentation”. This is required in order to properly troubleshoot and to keep you organized in the future when making changes.

When you see text in quotations (e.g. “password”), only use the text inside the quotes. Do not copy/paste the quotes. The quotes are there to make it clearer for you to read.

Hardware Needs & Original Flashing

These steps are specific to the TP-LINK TL-WR841N wireless router (available on Amazon for around $20). It is a cheap, DD-WRT supported router. You want a “v9.x” version router. Be aware: TP-LINK may release newer revisions under the same “TL-WR841N” model number that do not support DD-WRT.

You can flash the TP-LINK TL-WR841N v9 to DD-WRT rather easily.

Download a recent build (I tested on this one from April). This is for v9 ONLY. Check the label on the bottom of the router to make sure it is “v9.x”. You can flash this build directly from the TP-LINK GUI: log in to 192.168.0.1 and browse to the firmware you just downloaded from DD-WRT. For step-by-step instructions, see this post by Gregg Borodaty. Remember: you have to flash the v9 firmware.

I cover in another post how to revert back to the original TP-LINK OEM firmware if desired. Or how to cross-flash to Gargoyle which has certain benefits that I am not going to cover here.

If you have another DD-WRT router, the below configuration is basically the same with some minor but critical changes to the copy/paste steps. Post a comment if you want specific help. E.g. instead of “ath0.1” it may be “wl0.1” for Broadcom-based routers or “ath1.1” for 5GHz dual band Atheros routers (wl1.1 for Broadcom dual band 5GHz routers).

Check your email for an account confirmation email from OpenDNS. Not all email services allow hyperlinks within the content of messages, if the link in your email is not clickable copy and paste the link into your browser to confirm your account. If you click (or copy and paste) the link in the confirmation email you will be taken to your OpenDNS dashboard.

Once confirmed, move on to router setup.

DD-WRT TP-LINK TL-WR841N Router Setup

Go to http://192.168.1.1/ and click “Setup” at the top. Enter the following when the webpage prompts you: Username: “root” / Password: “admin” (admin is the default DD-WRT password).

First, change the default password. At the top, go to “Administration”. Scroll down and enter “root” as the username (overwriting the ••/***). Please enter a new password and re-confirm it; please make it something your kids cannot guess. Write your username and password down on the checklist at the end; #2. Scroll further down and check the box next to “Info Site Password Protection”. Go to the bottom and hit “Save”. This is the router password that you will need to make changes to the router in the future, and prevents your kids from changing settings.

Next, click on the upper-left tab “Setup”. It should take you to the “Basic Setup” sub-tab. Scroll down; feel free to name your router whatever you would like under “Router Name”. Scroll to the bottom and, under “Time Settings”, set the NTP server to 0.us.pool.ntp.org (copy/paste to make data entry easier). Hit “Save”.

Click on the “DDNS” sub-tab at the top (next to “Basic Setup”). Select “Custom”. Enter the following information. Copy/paste below.

DDNS Service: “Custom”

DYNDNS Server: “updates.dnsomatic.com”

<Enter your OpenDNS username and password you setup earlier; should be #1 on your checklist>

Hostname: “all.dnsomatic.com”

Under URL: “/nic/update?hostname=”

Hit “Save” at the bottom.
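Added example, not part of the original post: the same DynDNS-protocol update that the DDNS page configures, performed by hand with curl so you can confirm the OpenDNS credentials and hostname work before relying on the router to do it. The DNS-O-Matic endpoint and response codes are the service's documented ones; the username, password and address on the usage line are placeholders. Only dnsomatic_update needs network access; the response parser runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): send the same DynDNS-protocol update the
# DD-WRT DDNS page configures, and explain the one-word status DNS-O-Matic returns.
# Placeholders: the user/password/IP on the usage line. Endpoint and codes are DNS-O-Matic's.

DNSOMATIC_URL="https://updates.dnsomatic.com/nic/update"

# dnsomatic_update USER PASS [IP]
# Updates every service linked in the DNS-O-Matic account (hostname all.dnsomatic.com).
# Without IP, DNS-O-Matic records the public address the request arrives from, which is
# why the post insists these steps are done from the home connection.
dnsomatic_update() {
  user=$1; pass=$2; ip=${3:-}
  query="hostname=all.dnsomatic.com"
  [ -n "$ip" ] && query="$query&myip=$ip"
  curl -sS -u "$user:$pass" -A "ddwrt-check/1.0" "$DNSOMATIC_URL?$query"
}

# explain_dyndns_response RESPONSE: one line describing a DynDNS v2 status code
explain_dyndns_response() {
  case "$1" in
    good*)      echo "ok: address updated${1#good}" ;;
    nochg*)     echo "ok: address unchanged${1#nochg}" ;;
    badauth)    echo "error: wrong OpenDNS username or password" ;;
    notfqdn)    echo "error: hostname must be all.dnsomatic.com or a linked hostname" ;;
    nohost)     echo "error: hostname not found in the DNS-O-Matic account" ;;
    numhost)    echo "error: too many hostnames in one request" ;;
    abuse)      echo "error: account blocked for too many updates; wait before retrying" ;;
    badagent)   echo "error: client blocked; check the User-Agent" ;;
    dnserr|911) echo "error: server-side problem, retry later" ;;
    *)          echo "unknown response: $1" ;;
  esac
}

# Usage (placeholders): sh ddns_check.sh opendns-user opendns-pass [203.0.113.7]
if [ $# -ge 2 ]; then
  explain_dyndns_response "$(dnsomatic_update "$1" "$2" "${3:-}")"
fi
```

A "badauth" here means the credentials you typed into the DDNS page are wrong too, which is one of the failure modes the testing section describes (checkmark on opendns.com/welcome, but custom categories never applied).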

Click on the “Wireless” tab at the top. Under “Wireless Network Name (SSID)” enter whatever you want the parents/adult/older kids network to be named. For demonstration, I am calling it “Home Wireless”. Hit Save.

Once saved, click on “Add” under “Virtual Interfaces” and enter a network name “Wireless Network Name (SSID)” for the kids. For demonstration, I am calling it “Kids Wireless”. Hit Save.

At the top, go to “Wireless Security” and under “Security Mode” select “WPA2 Personal”. Under “WPA Shared Key” enter whatever password you want for your parent wireless network. In the example, this is the “Home Wireless” network. It must be at least 8 characters, should not be easily guessable, and should not be shared with the kids. Hit “Save”. Write down the “Home Wireless” key on the checklist at the end; #3.

Do the same for the “Virtual Interfaces ath0.1” below. Make sure you hit “Save” from the step before, then add the security information for the virtual interface. Select “WPA2 Personal” and under “WPA Shared Key” enter whatever password you want for your kids’ wireless network. In the example, this is the “Kids Wireless” network. It must be at least 8 characters and is the one you give to your kids. Write down the “Kids Wireless” key on the checklist at the end; #4.

Next click on the “Services” tab at the top. Scroll down to the “DNSMasq” section. Enable “Query DNS in Strict Order” and copy/paste the following carefully into the “Additional DNSMasq Options”. Hit “Save”.

Go to the bottom of the “Services” table and disable the last option: “ttraff Daemon” (this prevents excess nvram writes over time; leave it enabled if you want WAN traffic history). Hit “Save”.

At the top, go to the “NAT /QoS” section. Then go to the “UPnP” submenu at top. Enable both the “UPnP Service” and “Clear port forwards at startup” options and hit save. See below. (UPnP lets any device on the LAN, including the kids’ devices, open inbound ports for itself; if nothing in the house needs it, leaving it disabled is the safer choice.)

At the top, go to “Administration”. Next, click on the “Keep Alive” sub-menu at top. Hit enable for “Schedule Reboot”. Enter when you want the router to automatically reboot itself to stay healthy. E.g. below at 2:00am Sunday morning. Select the radio button to the right of “At a set time” and choose “2” under the first drop-down menu. Hit “Save”.

Go to the “Commands” sub-menu.
Copy/paste very carefully the following code into the “Commands” box.

After pasting the code above, hit “Save Firewall”. It will take roughly 30 seconds for the firewall script to save.
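Added example, not the post's own Commands-box script: a DD-WRT firewall script that implements the design described in the Overview. Everyone stays on one LAN bridge; ebtables marks frames arriving from the kids SSID, iptables sends marked DNS to a second dnsmasq that forwards only to OpenDNS, and unmarked DNS is forced to the router's normal dnsmasq (whose upstream is whatever the Services tab sets). It assumes the kids SSID is ath0.1 on bridge br0 (wl0.1 on Broadcom builds, as the hardware section notes), the router LAN IP is 192.168.1.1, the second dnsmasq listens on port 5353, the firewall mark is 0x10, and the kids' resolvers are the OpenDNS Home addresses that the dashboard settings apply to; all of these are assumptions you adjust to your build.

```shell
#!/bin/sh
# Added example (not the post's own Commands-box script): DD-WRT firewall script for the
# single-VLAN design. ebtables marks frames from the kids SSID; iptables sends marked DNS
# to a second dnsmasq that forwards only to OpenDNS, and all other DNS to the normal one.
# Assumptions (change to match your build): kids SSID ath0.1 on bridge br0, LAN IP
# 192.168.1.1, second dnsmasq on port 5353, mark 0x10, OpenDNS Home resolvers.

KIDS_IF="${KIDS_IF:-ath0.1}"        # wl0.1 on Broadcom builds
LAN_IF="${LAN_IF:-br0}"
LAN_IP="${LAN_IP:-192.168.1.1}"
KIDS_PORT="${KIDS_PORT:-5353}"
MARK="0x10"
KIDS_DNS1="208.67.222.222"
KIDS_DNS2="208.67.220.220"
PIDFILE="/tmp/dnsmasq_kids.pid"

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Mark every frame entering from the kids SSID at the bridge layer. The mark stays on the
# packet, so iptables can match it with -m mark even though both SSIDs share br0.
mark_kids_frames() {
  run ebtables -t nat -D PREROUTING -i "$KIDS_IF" -j mark --mark-set "$MARK" --mark-target ACCEPT 2>/dev/null
  run ebtables -t nat -A PREROUTING -i "$KIDS_IF" -j mark --mark-set "$MARK" --mark-target ACCEPT
}

# Second dnsmasq: ignores the router's resolv.conf and hosts file, forwards only to OpenDNS.
start_kids_dnsmasq() {
  [ -f "$PIDFILE" ] && run kill "$(cat "$PIDFILE")" 2>/dev/null
  run dnsmasq --conf-file=/dev/null --no-resolv --no-hosts --cache-size=150 \
      --port="$KIDS_PORT" --listen-address="$LAN_IP" --bind-interfaces \
      --server="$KIDS_DNS1" --server="$KIDS_DNS2" --pid-file="$PIDFILE"
}

# Force all port-53 traffic from the LAN to the router: marked frames to the OpenDNS-bound
# dnsmasq, everything else to the normal one. A client that hard-codes 8.8.8.8 still lands here.
# The marked rule is appended first so it is evaluated before the catch-all for each protocol.
redirect_dns() {
  run iptables -t nat -N KIDS_DNS 2>/dev/null
  run iptables -t nat -F KIDS_DNS
  run iptables -t nat -D PREROUTING -i "$LAN_IF" -j KIDS_DNS 2>/dev/null
  run iptables -t nat -I PREROUTING -i "$LAN_IF" -j KIDS_DNS
  for proto in udp tcp; do
    run iptables -t nat -A KIDS_DNS -p "$proto" --dport 53 -m mark --mark "$MARK" \
        -j DNAT --to-destination "$LAN_IP:$KIDS_PORT"
    run iptables -t nat -A KIDS_DNS -p "$proto" --dport 53 \
        -j DNAT --to-destination "$LAN_IP:53"
  done
}

kids_dns_setup() {
  mark_kids_frames
  start_kids_dnsmasq
  redirect_dns
}

# Without an argument the script only prints the commands for review;
# "sh kids_dns.sh apply" installs them.
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
kids_dns_setup
```

When pasting into the Commands box (which runs the script with no arguments), replace the last two lines with `DRY_RUN=0` and `kids_dns_setup` so it applies instead of printing. To prove the redirect from a “Kids Wireless” client, point a lookup at an outside resolver, e.g. `nslookup facebook.com 8.8.8.8`: with a blocked category it should still come back with OpenDNS's block-page address, because the DNAT answered instead of Google. The caveat a practitioner should keep in mind is that this only catches plaintext DNS on port 53; a device using DNS over HTTPS, DNS over TLS or a VPN bypasses it entirely.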

Lastly, go back to the “Management” sub-tab at the top, scroll the entire way to the bottom, and click the red “Reboot Router” button.

Linking OpenDNS to your home internet

(Do NOT do this away from home; These steps must be done directly on your broadband connection at your home)

First, go re-read section #1, “Notes, Assumptions, & Prerequisites”, and ensure your Comcast (or other provider) connection is set up correctly. Confirm your modem/internet connection is in bridge mode. Your best option is to purchase your own modem (the Motorola SB6141 is recommended), which bridges by default.

The key is getting a public IP address assigned directly to your router. Not only does this make filtering work correctly (OpenDNS keys your settings to that public address), it avoids double NAT and allows ports to be opened automatically for certain devices (e.g. AppleTV, Roku, Chromecast, etc.), making those devices work better.

To check if your router is getting a proper public IP address, log in to http://192.168.1.1 and look at the upper right. You will see a “WAN Address” line in white text. If that address does NOT start with “10.”, “172.16.” through “172.31.”, or “192.168.” you are good to go. If it does, your modem is also a router and is not in bridge mode; call your internet provider and have them walk you through getting the modem into bridge mode. (An address starting with 100.64 through 100.127 means your provider is using carrier-grade NAT. That cannot be fixed at the modem, and it makes keying OpenDNS settings to your public address unreliable, since that address is shared with other customers.)

Next you need to “Add a Network”. You will see a big box on your Home screen that says Add a network, as shown below. Adding a network to your OpenDNS dashboard allows you to use OpenDNS’s custom content filtering and stats features. Click on the Add a network box to get started. Once you click Add a network you will get the screen below, which asks you to add an IP address. If you are on your home network you will see your current IP address displayed at the top of your dashboard where it says Your current IP is. Copy this number from the top of the screen. This is your current external (public) IP address, assigned to your network by your internet service provider. Use that IP address for your dashboard network.

Next you will get a screen that asks you for a network name and whether or not you have a dynamic IP address. If you are unsure, you most likely have a dynamic IP address. Most internet service providers lease dynamic IP addresses, which means that your IP address can change. Check off “Yes, it is dynamic”. Do not download the software under #3. The DD-WRT software on the router will handle the auto-updating for you if you followed the router setup instructions above under “DDNS”. If you have more questions regarding dynamic IP addresses please see Dynamic IP Addresses: Technical Detail and FAQ.

After you add your network you will see the screen below. Time to check your email to verify your IP address.

You should receive an email that looks like the one below, once you click the link your IP address will be verified and you will be taken back to the dashboard.

Configuring Content Filtering Settings: After you have added a network, content filtering can be configured in the Settings tab. Click on the Settings tab and choose the network you added from the Settings for: drop-down to open the Web Content Filtering menu for this network. In the Choose your filtering level settings you can choose one of the pre-set levels, or choose Custom to select the categories you would like to filter on your network. Custom is powerful and recommended to filter specific categories like Social Media, File Sharing, and Webmail.

Based on our PG-13 presentation, especially for younger kids, please enable the following categories: Adult Themes, Alcohol, Dating, Lingerie/Bikini, P2P/File Sharing, Pornography, Adware, Chat, Drugs, Hate/Discrimination, Gambling, File Storage, Classifieds, Nudity, Phishing, Proxy/Anonymizer, Social Networking, Tasteless, and Webmail (to block web-based email). This is the “magic” of the router: these categories apply only to those connected to the “Kids Wireless” connection. “Home Wireless” is filtered via Norton ConnectSafe for general pornography and adware. (Norton ConnectSafe has since been discontinued, so if you follow this today, substitute another filtering resolver for the parents’ network.)

You can also manage individual domains to customize your filtering settings. For example, if you choose to block the Lingerie/Bikini category but would still like to shop at victoriassecret.com, you can add victoriassecret.com to your Never Block list, which will allow access to victoriassecret.com while blocking all other domains in that category. For more information on content filtering please see: Web Content Filtering and Security. For more information on configuring the Manage individual domains section please see: Getting Started: Blocking/Allowing Specific Domains with Whitelist/Blacklist.

Configuring Reporting/Statistics: If you would like statistics for your network, first you must Enable stats and logs on your network. To do so, click on the Settings tab, choose the network you added from the Settings for: drop down and click on Stats and Logs from the left hand menu. You will see the option to enable stats and logs, check the box and hit APPLY to enable stats as shown below:
It can take up to 24 hours for stats to initially populate after you enable them, so if you don’t see them right away don’t fret they are coming! When stats begin to populate you can view them in the Stats tab. There are several different ways you can view your stats by choosing the options in the left hand menu:

Testing, FAQs, and more technical information

Almost done. Well done. Now time to test. The “Home Wireless” network uses Norton ConnectSafe. To test your “Home Wireless” network go to playboy.com. IT SHOULD BE BLOCKED. As of 4/15/2015 (and since 2010) the playboy.com homepage is “safe” and does not have pornographic images on the homepage. Assuming you followed the steps above correctly, you should NOT get the playboy.com site and instead get the Norton ConnectSafe block page.

Thankfully OpenDNS has an easy testing website. To test OpenDNS, connect to the “Kids Wireless” connection and go to www.opendns.com/welcome. You should get a large checkmark indicating OpenDNS is set up correctly. If you do NOT get a large checkmark, you have something incorrect in the “Commands” section above (or see NOTE 2 below) where you copied/pasted the large block of gray-colored code. Retry, reboot the router and PC, and retest on “Kids Wireless”.

NOTE: OpenDNS will “work” with a green checkmark, but that does NOT mean your low/medium/high/custom OpenDNS filtering settings are being applied. You must try a website that you know should be blocked in a category you specified and look for the OpenDNS block page instead of the website loading. For example, if you select the “Custom” filtering profile and check off “Social Media”, this should block facebook.com. When you go to facebook.com on the “Kids Wireless” connection it should NOT load and should instead give you the OpenDNS block page. If you expected Facebook to be blocked based on your OpenDNS categories and it is not, AND you correctly get the checkmark at www.opendns.com/welcome, then your issue is with the “DDNS” section above: your router is not correctly telling OpenDNS what your home internet connection’s IP address is, so your custom filtering categories are not applied. This could also happen if you did not properly put your modem into bridge mode.

NOTE 2: The commands in the “Commands” step that start with “iptables” handle the DNS enforcement. If your kids try to specify their own DNS settings to bypass the filter, the router redirects everything back to its local DNS server (DNSMasq), which then forwards everything to either OpenDNS (for kids) or Norton ConnectSafe (for parents/Home Wireless).

Last Thoughts: Support & Sharing with Others

I will do my best to assist families. As mentioned in Part 1, I share a passion for Christ and helping parents navigate technology to strengthen families and faith. I, with the help of the pastors, have spent >30 hours putting together this material: the presentation, handout, this router workshop material and equipment. I am trying, in good faith, to have this material stand on its own. That being said, I also know there will be many questions and many unique situations that we cannot document or anticipate. I do anticipate issues; with your internet provider, with a device, with setup questions. I will do my best to respond to comments and questions. Cheers.

For historical reasons, here is the original Word docx (and pdf). Refer to the post for current and updated information.

This took too long to Google the answer. Most information is out-of-date with IE8/IE9 solutions. It is basically a duplicate of this post from Andres Cheah.

The goal is to bypass this dialogue box:

Our users are easily confused.

Using Group Policy Editor

Use gpedit.msc or launch the Group Policy Editor.
Note: In an Active Directory environment, open gpmc.msc and either edit an existing GPO, or create a new one and link it to the domain level, or to an OU of your choice.
Refer to “Group Policy for Beginners” from Microsoft for the basics.

In the left pane, navigate to Computer Configuration (or User Configuration) > Administrative Templates > Windows Components > Internet Explorer. On the right pane, double-click “Prevent running First Run wizard”. A new settings window will open.

Set the value to “Enable”.

In the options section you must choose one of the two options from the drop-down menu:

Go directly to “Welcome To IE” page. This configures IE to skip the Welcome screen and go to the “Welcome to Internet Explorer” page directly.

Go directly to home page. This configures IE to skip the Welcome screen and go directly to your home page. This is the option we chose. You can combine this with this post from ServerFault to also push a desired homepage to users. You need to choose one of the two, otherwise the configuration will not work.

For those who really want to dig into how IE11 is handling the policy, I later came across this post from chentiangemalc where it details how the policy is applied and the associated ADMX. It also explains why much of the internet is outdated in the older “Prevent performance of First Run Customize Settings” that were used in IE8 and IE9 (e.g. here, here and here).

In a separate upcoming post I will document our trials and security tribulations with Horizon Software and their Village Merchant Point of Sale system (i.e. cash registers with additional functionality). Village Merchant is a SQL-based, 32-bit and, by the looks of the UI, a legacy Visual Basic app.

You are now in Change User Mode (change user /install), so go install programs or change settings that you want to propagate to all users. Add or remove the programs that you want, then return to normal operation with change user /execute.

That solved problem #1. All users could manually launch the application. And by “manually” I mean you had to launch the “MERCHANT.EXE” from the remote file share on the Horizon server from the full desktop UI.

Solving Problem #2

Again, the “MERCHANT.EXE” executable resides on another server and is accessed via SMB file share using the full UNC path. E.g. \\<FQDN server name>\<shared name>\merchant.exe.

The problem is that in Windows Server 2012 R2, RemoteApp can only publish applications from a local path; an executable on a remote UNC share cannot be added. This challenge led me to this post at SpiceWorks on using a locally saved batch file to launch the remote executable. Brilliant.

I created a local batch file (e.g. C:\<folder>\remoteapp.bat) all users could access and it contained one simple line:

The start command dates back to the OS/2 and 16-bit Windows days. It launches an application from a command prompt; simple enough. See here if you want to get fancy with window sizing, processor priority, etc. The “ping” command, which acts as a crude delay in the batch file, resolved issues where Horizon would launch but not accept keyboard/mouse input.

When adding the remoteapp.bat batch file on the RemoteApp server, I also used the full UNC path; e.g. \\<RemoteApp server FQDN>\<folder>\remoteapp.bat (even though its a local batch file, if you ever add additional RemoteApp servers for your Collection, they will know where to locate the batch file). Enjoy launching remote applications using RemoteApp.

I spent better part of an hour working on why Outlook 2013 would not properly display inline, linked email images. I got the dreaded red “x”.

Backstory: I am working with a team to roll out an improved daily newsletter. After trying Constant Contact and Mailchimp, I was thoroughly impressed with Mailchimp. For example, Constant Contact did not have “smart tags”, or “merge tags” as Mailchimp calls them. In other words, with Mailchimp I can insert a PHP-style date format in the heading bar of my email template:

*|DATE:l \t\h\e jS \of F, Y|*

which every day generates a clean date that looks like:

Tuesday the 16th of June, 2015

Back on point: after setting up SPF and DKIM authentication with Mailchimp everything seemed smooth, with one major catch: all the images were broken. Mobile devices were fine. Viewing the email in a browser (IE and Chrome) was fine. It was Outlook.

At my prior employer we had thousands of Dell D630 (my favorite) and E6410 notebooks or, as I still like to call them, laptops. A side thought: a quick search turned up this post on why the term “laptop” has been phased out, and an ironic example of Apple’s marketing from back in 2006 (Apple: “don’t put our laptops on your lap”) when “laptops” were transitioning to “notebooks” or “portable computers”.

The Dell D630 and E6410 laptops were bulletproof. After the E6410, HP ProBooks were issued and, in my narrow sample size, did not live up to the same ruggedness. Fast forward to my current leadership role where we have chosen to purchase E6410 refurbished laptops from Newegg. Before jumping to conclusions, recognize our requirements: rugged, TPM equipped for Bitlocker, reliable, readily available parts, reasonable docking stations, and decent battery life. Notice I did not mention “super-fast-ultra-high-performance”. Most users, consistent with our users, have performance as a secondary requirement. With over 100 refurbished E6410 laptops deployed, I can say confidently we were stewards of our financial resources easily saving ~$30,000 in new, current generation Latitude/ProBooks. For those users needing more performance, we simply doubled the RAM to 8GB and swapped in an SSD. The first generation i5 are fast enough.

Back to the original point of this post: artificial power-on time. After having success with the E6410 refurbs, I purchased one for family. After installing a clean copy of Windows 7, I quickly checked the hard drive S.M.A.R.T data. This is what I found:

295,016 hours! Or roughly 12,292 days; almost 34 years.

My immediate thought was that the refurbisher had somehow altered the S.M.A.R.T. data. A little digging turned up this excellent FAQ courtesy of the open source project Smartmontools.

It turns out the S.M.A.R.T. data is rather vendor-specific. Instead of working with the command line and Smartmontools, I downloaded GSmartControl, a UI front-end for Smartmontools, and got this updated screenshot:

19836 hours + 43 minutes (hex 1227bb converts to 118981 minutes, divided by 60). This is a much more plausible number. Not sure where Crystal Disk got its number.

~2.26 years. I was surprised at the low “Power Cycle Count” of 309. On average, each power-up kept the drive powered for ~64 hours (19836/309). I was also interested in the high “Load / Unload Cycle” number: 504,004 is high, very high.

Count of load/unload cycles into head landing zone position. [28] Western Digital rates their VelociRaptor drives for 600,000 load/unload cycles, [29] and WD Green drives for 300,000 cycles; [30] the latter ones are designed to unload heads often to conserve power. On the other hand, the WD3000GLFS (a desktop drive) is specified for only 50,000 load/unload cycles. [31]

In other words, if 504,004 is the real “Load / Unload Cycle” number, this hard drive has seen its share of wear-and-tear.
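The hex-to-minutes conversion done by hand above is one instance of a general problem: a S.M.A.R.T. raw value is a 48-bit counter whose unit the vendor chooses, so the same bytes can read as an impossible 34 years or a plausible 2.26 years depending on the interpretation. The following Python script is an added example (not the post's own code, and not code from Smartmontools or GSmartControl). It decodes an attribute-9 raw value under the unit conventions smartmontools exposes through its `-v 9,minutes`, `-v 9,halfminutes` and `-v 9,seconds` options (hours is the default), rejects any interpretation that would exceed the drive's possible age, and computes the per-cycle and load/unload wear figures discussed above. The raw value 1190203 is constructed so that, read as minutes, it decodes to the 19836 h 43 min figure from the post.

```python
"""Decode and sanity-check a S.M.A.R.T. Power_On_Hours (attribute 9) raw value.

Added example, not code from the post or from smartmontools/GSmartControl.
The raw counter is 48 bits wide and its unit is vendor-specific; smartmontools
lets you pick the interpretation with "-v 9,minutes", "-v 9,halfminutes" or
"-v 9,seconds" (hours is the default). Sample values are constructed: 1190203
is chosen so that, read as minutes, it decodes to 19836 h 43 min.
"""

HOURS_PER_YEAR = 24 * 365

# Seconds represented by one raw unit, keyed by the smartmontools unit name.
SECONDS_PER_UNIT = {
    "hours": 3600,
    "minutes": 60,
    "halfminutes": 30,
    "seconds": 1,
}


def decode_power_on(raw, unit):
    """Return (whole_hours, remaining_minutes) for a raw attribute-9 value."""
    raw &= (1 << 48) - 1  # raw values are 48-bit; mask off any padding bits
    total_seconds = raw * SECONDS_PER_UNIT[unit]  # integer math, no float drift
    hours, rem = divmod(total_seconds, 3600)
    return hours, rem // 60


def plausible_units(raw, max_age_years):
    """Units under which the decoded power-on time fits within the drive's age.

    A drive cannot have been powered on longer than it has existed, so any
    interpretation beyond max_age_years is rejected. Several units can survive;
    choosing between them still requires the vendor's documentation.
    """
    survivors = []
    for unit in SECONDS_PER_UNIT:
        hours, _ = decode_power_on(raw, unit)
        if hours / HOURS_PER_YEAR <= max_age_years:
            survivors.append(unit)
    return survivors


def avg_hours_per_cycle(power_on_hours, power_cycles):
    """Mean hours the drive stayed powered per power cycle (the post's 19836/309)."""
    return round(power_on_hours / power_cycles, 1)


def load_unload_fraction(cycles, rated_cycles):
    """Fraction of the vendor's rated load/unload cycles already consumed."""
    return round(cycles / rated_cycles, 2)


if __name__ == "__main__":
    raw_gsmart = 1190203      # constructed: as minutes -> 19836 h 43 min
    raw_other_tool = 295016   # the post's 295,016 figure, taken as hours
    for raw in (raw_gsmart, raw_other_tool):
        for unit in SECONDS_PER_UNIT:
            h, m = decode_power_on(raw, unit)
            print(f"raw {raw:>8} as {unit:<11}: {h} h {m:02d} min "
                  f"({h / HOURS_PER_YEAR:.2f} years)")
        # The E6410 shipped around 2010, so anything over ~6 years is impossible.
        print("plausible for a drive under 6 years old:", plausible_units(raw, 6))
    print("avg hours per power cycle:", avg_hours_per_cycle(19836, 309))
    print("load/unload vs WD Green rating:", load_unload_fraction(504004, 300000))
```

The age check is deliberately loose: it only discards the impossible readings, which is all a generic tool can do. The remaining ambiguity is why the post's point about vendor-specific encodings matters, and why a front-end like GSmartControl that carries the vendor's drive database produces a believable number where a generic reading does not.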

For now, the hard drive seems to be working fine. One last thing: check out the Smartmontools for Windows Package by Ozy de Jong. It can easily install Smartmontools as a Windows Service and has out-of-the-box email and local warning messages in the event S.M.A.R.T. data detects a problem or failure. In this case, this E6410 is not important enough to warrant self-monitoring via email, but I would set it up for anything critical or any remote system (e.g. a BlueIris video security recorder, which is very hard drive intensive, at a remote location).

I was in a difficult position. I had an older family member drive a decent distance to get their PC fixed on-the-spot. Long story short, they use their PC to upload insulin results and without these uploads, they have mandatory visits to the endocrinologist.

After determining the motherboard was the culprit (by swapping RAM, PSU, and CPU), I swapped their hard drive into another system. Yes, I know a clean install would have been the preferred method. However, this is the “real world” and I decided to swap the hard drive rather than struggle to get Java 1.6 working (required for the insulin pump uploads; yes, I know it's terrible; thank healthcare vendors), some audio recording software, and a user who needs the same icons, workflows, printer, and Quattro Pro.

Enough introduction. The old system was a Dell Dimension 3100 Windows 7 x86 PC running in AHCI mode. I anticipated boot issues related to different storage controller(s) after the swap. Typically when I am planning to move from one motherboard to another, I will run “sysprep /generalize” before moving. This “preps” Windows for the move and usually gracefully handles new hardware/HAL/storage controller(s).

In this example, I could not boot the original system, so this brings me back to the title of this post: easy2boot. In short, easy2boot is by far the best USB drive creation tool/utility out there. I needed to run the HDC_fix, which attempts to detect the new storage controllers and injects the appropriate drivers into an offline system. The HDC_Fix is found on many Windows PE boot .ISOs; e.g. UBCD4Win, Hiren. In this case I used UBCD4Win. My typical bootable USB sticks were not working (the new Acer motherboard seemed to have major issues booting USB devices) and my older boot CDs were either too old or the optical drive was unable to read the burned media.

Step 2: Go to the Download page and get the “Download E2B+DPMS” version (v1.69 at the time of posting). Extract the .zip. I inserted a blank 32GB USB drive. Run the “Make_E2B_USB_Drive.cmd” script to make the 32GB drive bootable with easy2boot. I chose to format the drive as NTFS so it can handle files >4GB without any major drawbacks.

Step 5: Enjoy. The new Acer system booted easy2boot without issue and the easy2boot menu auto-populated the UBCD4Win .ISO. I ran the HDC_fix on the D:\ drive (the actual physical disk). When booting Windows off a USB drive, C:\ is typically the “RAM Disk” or virtual drive, not the actual physical disk/hard drive. The physical disk will typically be mounted under another drive letter; e.g. D:\ or E:\. It should be obvious because it will be the correct size and hopefully have an informative partition label. Upon reboot, Windows 7 was happily booting. A few minutes later, with new drivers installed, my relatives were on their way.

Now, the post could end here, but this is where easy2boot really shines. It can boot Windows installer .ISOs. It can even boot UEFI Windows installers; e.g. Windows 8.1 and Server 2012 R2.

So I went to town and copied Windows 7 SP1 x86, x64 and Windows 8.1 x64, and Server 2012 R2 x64, and Windows XP SP3 (for nostalgia) to their respective folders; i.e. \_ISO\WINDOWS\XXX. I also went back to the easy2boot Download page and got the “MPI Tool Pack (MakePartImage)” (“MPI Tool Pack + Clover Lite v0.048 2015-04-16” at the time of posting). After extracting the .zip, I ran \ImDisk\imdiskinst.exe to install the virtual disk driver. Then I simply dragged and dropped the Windows 8.1 .ISO onto the “MakePartImage_AutoRun_FAT32.cmd” batch file and used all the defaults to generate a .imgPTN for Windows 8.1. I placed this new .imgPTN in \_ISO\MAINMENU\ (not the \_ISO\WINDOWS\XXX folders) and I was able to UEFI boot to install Windows 8.1. Very impressive.

Kudos to rmprep (SteveSi) for developing easy2boot. You earned my donation to support your project.

Lastly, to make my 32GB USB drive even more useful (and since it is NTFS I can put anything else I want on it), I added WSUS Offline.

WSUS Offline is another wonderful project that I have been using and supporting for years. Download WSUS Offline (v9.6 at the time of posting), extract it to your USB drive, and run “\wsusoffline\UpdateGenerator.exe”. Pick which versions of Windows you want updates for, in my case “w61”, “w61-x64” and “w63-x64” (none of my Windows 8.1/2012 R2 installs are x86), and hit “Start”.

Wait for the updates to download. Depending on your connection speed, it will take some time. Once complete, you now have a USB drive where you can install Windows 7/8.1/2012R2/X and run Windows Updates all from one USB drive. To run the WSUS Offline updates, go to “\wsusoffline\client\UpdateInstaller.exe” and hit “Start”. I usually set it to “Automatic reboot and recall”. It automatically brings a system current on Windows Updates.

Lastly I added a few other root directories on the 32GB USB drive for DRIVERS and UTILITIES.

So to recap, I have a 32GB USB stick that 1) can install different flavors of Windows in BIOS or UEFI modes, 2) can easily and efficiently patch the new Windows install using WSUS Offline, and 3) contains drivers and utilities to get the system online and set up. Enjoy.